Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Vulnerabilities in Cisco's VoIP system

Vulnerabilities in Cisco's VoIP system

by Nikola Strahija on July 16th, 2005 Cisco Systems disclosed that a core component of its enterprise VoIP system is vulnerable to several serious security flaws.


The flaws could allow remote attackers to compromise a company's VOIP network, redirect or listen in on calls and carry out other nastiness, according to Cisco and Internet Security Systems (ISS), which discovered the flaws.

The bugs haven't yet been exploited, but they represent one of the most high-profile security threats in enterprise IP telephony today. Big companies are more interested in it every day, Gartner predicts that by 2007 97 percent of new enterprise phone systems installed in North America will be either VOIP or hybrid. Cisco leads the market at the moment, with a 42 percent share in North America, followed by Avaya with 14 percent, 3Com with 11 percent and Nortel with 9 percent, according to Gartner's research.

Cisco reported five separate security bugs in CallManager, the call-processing component of the Cisco IP telephony system. The most serious is in the aupair.exe service, which could allow a remote attacker to cause a buffer overflow and execute malicious code. Aupair.exe can't be disabled for normal CallManager use, Cisco said.

CallManager is vulnerable in its default configuration, and an attack could be carried out without the need for prior authentication, ISS said. -An attacker may be able to redirect calls or perform eavesdropping as a result of this compromise. Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines with Cisco VoIP products, the security firm said in an advisory.

Cisco has released patches for the affected versions of CallManager, including 3.3 and earlier, 4.0 and 4.1. Its advisory and patching instructions are on Cisco's website.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »